Privilege Escalation via Account Takeover on NodeBB Forum Software (512$)

InfoSec Write-ups – Medium–

Privilege Escalation via Account Takeover on NodeBB Forum Software — Bug Bounty (512$)

Hello Guys !

I hope you all doing well. ✌️

About a month ago, I told you that I found an Account Takeover vulnerability in a web application as in the screenshot below. With the new patch coming to the web application with the vulnerability, I can now share with you how I found the vulnerability.

This is my first bug bounty write-up so im writing P1 qualified vulnerability.,

Lets talk about it.

When I made the tests for NodeBB forum software, I found that the password of the every user account can be changed.

Now I will tell you the steps to exploit this vulnerability.

  1. First of all, to determine the “admin” user’s uid :

https://try.nodebb.org/uid/*

I tried numbers on the place marked with an asterisk(*) and I find that the uid value of the admin account is 1.

https://try.nodebb.org/uid/1 -> https://try.nodebb.org/user/admin

2- I created a user whose name is “testuser1” for myself.

3- I went to the password change page from my user profile and i entered our current password in the first box.Then I wrote in the second and third boxes that the passwords which we want to change.

4- Then, before press the submit button, I opened the Burp Suite, which has a proxy options and I replaced the uid value on the request with 1, which is the uid value of the admin user, and I sent the request.

5- I wrote “admin” in the user name box and the password i wrote in step 5 in the password box.

6- Thus, I obtained the account of the “admin” user.

Thus, thanks to this vulnerability I found in NodeBB company, I won a prize of 512 Dollars. 🏆🏆🏆

You can click the link below to view the NodeBB Forum Software’s Hall of Fame list.

https://blog.nodebb.org/bounty/

Below is the link to the github page, which contains information that the vulnerability has been closed.

https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7

I hope you guys learn something from it and if so give a high five. ✋

Thank you for reading my article. You can reach me at the links below.

Healthy days ! 😷

https://twitter.com/erenuyguun

https://www.linkedin.com/in/3ren-uygun/


Privilege Escalation via Account Takeover on NodeBB Forum Software (512$) was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

View original article on InfoSec Write-ups – Medium

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s